add: prevent supporters from modifying their own accounts via support
[gigi.git] / util-testing / org / cacert / gigi / pages / Manager.java
index 2fd78ba7195bf3b84618e5b8df46e00d8015ed15..ec709a1700733291bcfa0532ee4f3f30fd1cf4f6 100644 (file)
@@ -296,16 +296,16 @@ public class Manager extends Page {
                 resp.getWriter().println("User not found.");
                 return;
             }
-            if (req.getParameter("addpriv") != null) {
-                try {
+            try {
+                if (req.getParameter("addpriv") != null) {
                     u.grantGroup(getSupporter(), Group.getByString(req.getParameter("priv")));
-                } catch (GigiApiException e) {
-                    throw new Error(e);
+                    resp.getWriter().println("Privilege granted");
+                } else {
+                    u.revokeGroup(getSupporter(), Group.getByString(req.getParameter("priv")));
+                    resp.getWriter().println("Privilege revoked");
                 }
-                resp.getWriter().println("Privilege granted");
-            } else {
-                u.revokeGroup(u, Group.getByString(req.getParameter("priv")));
-                resp.getWriter().println("Privilege revoked");
+            } catch (GigiApiException e) {
+                throw new Error(e);
             }
         } else if (req.getParameter("fetch") != null) {
             String mail = req.getParameter("femail");
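Review bot: The `catch (GigiApiException e)` that now closes the try block rethrows as `java.lang.Error`, so a grant or revoke that the API rejects ends the request with an unhandled Error instead of a readable result. If, as the commit title suggests, `grantGroup`/`revokeGroup` now refuse a supporter acting on their own account, that refusal is an expected outcome and is better reported, e.g. `resp.getWriter().println("Privilege change rejected");` followed by `return;`, with the exception detail kept in the server log rather than the response. Both branches also pass `req.getParameter("priv")` straight to `Group.getByString`; whether that helper tolerates a missing or unknown value is not visible here, so a null check before the try would make the failure mode explicit. The enclosing method starts and ends outside the hunk.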